In response to the numerous DNS hijacking attacks, the UK’s National Cyber Security Centre (NCSC) issued an alert to warn organizations of this type of attack.
“In January 2019 the NCSC published an alert to highlight a
“Since that alert was published we have observed further activity, with victims of DNS hijacking identified across multiple regions and sectors. This Advisory covers some of the risks for
DNS hijacking is the practice of subverting the resolution of
The Domain Name System (DNS) is the service responsible for pointing the web browser to the right IP address when we navigate to a web domain.
According to a report recently published by Avast, Brazilian users have been targeted with router attacks for nearly a year. In the first half of 2019, hackers modified the DNS settings of over 180,000 Brazilian routers with even more complex attacks.
This year, security experts at Avast have blocked more than 4.6 million cross-site request forgery (CSRF) attempts carried out by crooks to modify DNS settings of targeted routers.
Recently, experts at Cisco Talos published a detailed analysis of the DNS hijacking campaign conducted by the Sea Turtle threat actor for espionage purposes.
The UK’s NCSC explains the variety of motivations and objectives behind DNS hijacking attacks, ranging from taking down or defacing a website to intercepting data.
The main risks enumerated in the report are:
To prevent phishing attacks, NCSC recommends using unique, strong passwords, and enabling multi-factor authentication when the option is available.
To prevent registrar accounts from being compromised using familiar Account Take Over (ATO) techniques (i.e. Phishing, Credential
Restricting access to these accounts only to personnel charged with the management of the registrar accounts.
“Registry and Registrar Lock – many registries offer a “registrar lock” service. This lock prevents the domain being transferred to a new owner, without the lock being removed.” continues the report. “A “registry lock” (which sometimes involves a fee) is considered an additional level of protection whereby changes cannot be made until additional authentication has taken place which usually involves a call to the owner.”
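A domain portfolio can be audited for the two lock levels described above by reading the `status` array of each domain's RDAP record. The sketch below is an added example, not code from the NCSC report: the sample records are constructed, and requiring all three registrar-set (`client …`) or registry-set (`server …`) statuses before counting a domain as locked is this example's assumption.

```python
import json

# RDAP status strings (RFC 8056 maps EPP codes such as
# clientTransferProhibited onto these). client* statuses are set by the
# registrar, server* statuses by the registry.
REGISTRAR_LOCK = {"client transfer prohibited", "client update prohibited",
                  "client delete prohibited"}
REGISTRY_LOCK = {"server transfer prohibited", "server update prohibited",
                 "server delete prohibited"}

def audit_locks(rdap_json):
    """Summarise which lock statuses one RDAP domain record carries."""
    record = json.loads(rdap_json)
    statuses = {s.strip().lower() for s in record.get("status", [])}
    return {
        "domain": record.get("ldhName", "").lower(),
        "registrar_lock": REGISTRAR_LOCK <= statuses,
        "registry_lock": REGISTRY_LOCK <= statuses,
        "missing": sorted((REGISTRAR_LOCK | REGISTRY_LOCK) - statuses),
    }

def unlocked_domains(records):
    """Return the domains whose record lacks the full registrar lock set."""
    results = [audit_locks(r) for r in records]
    return [r["domain"] for r in results if not r["registrar_lock"]]

# Constructed sample records (not real registry data).
SAMPLE_LOCKED = json.dumps({
    "objectClassName": "domain", "ldhName": "LOCKED.EXAMPLE",
    "status": ["client transfer prohibited", "client update prohibited",
               "client delete prohibited", "server transfer prohibited",
               "server update prohibited", "server delete prohibited"]})
SAMPLE_PARTIAL = json.dumps({
    "objectClassName": "domain", "ldhName": "partial.example",
    "status": ["client transfer prohibited"]})
SAMPLE_OPEN = json.dumps({
    "objectClassName": "domain", "ldhName": "open.example",
    "status": ["active"]})

if __name__ == "__main__":
    samples = [SAMPLE_LOCKED, SAMPLE_PARTIAL, SAMPLE_OPEN]
    for sample in samples:
        print(audit_locks(sample))
    print("needs attention:", unlocked_domains(samples))
```

Run on a schedule against the organization's own domains, a lock status that disappears between two runs is a change worth checking against the change-control record.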
In case an organization runs its own DNS infrastructure, the NCSC recommends implementing access and change control systems that can provide backup and restore
NCSC also recommends implementing SSL monitoring and Domain Name System Security Extensions (DNSSEC) specifications.
In early 2019, DHS issued a notice of a CISA emergency directive urging federal agencies to improve the security of government-managed domains (i.e.